# $Id: README,v 1.3 2011/10/17 21:08:55 ksb Exp $
# $Source: /usr/msrc/usr/local/bin/sudop/RCS/README,v $

Wrap op with a script that makes it work (mostly) like sudo, and that also
isolates us from the security problems of sudo.

We want to present customers with an interface that behaves like sudo as
much as possible while still taking advantage of our existing op
infrastructure for configuration management and logging.

The sudop wrapper script calls the sudomap op rule:

	sudomap	/usr/local/libexec/sudop/sudomap $1 ;
		uid=root dir=/usr/local/lib/op
		users=.*

which figures out how to map the sudo syntax to op.

The sudomap rule uses mk to look through all the op configuration files
for the marker "Sudop" and a submarker that's the full sudo-like path to
an executable. (Note that the executable doesn't really have to exist.
The name is only used to find the right op rule.)

Only the first mk rule that matches is executed. It must return a single
line on stdout consisting of 3 values separated by exclamation marks (!).
These are:

	1) The real op rule that sudop should execute in place of the sudo rule.
	2) The user the rule runs as.
	3) The full sudo syntax for the command with REs to describe parameters.

The first value is very important as it controls the behavior of sudop.
The last two are only used with the "-l" switch to sudop when listing
all rules.

The inverse of this (using sudo to run op setuid) is explained in the
README in the master source to op.

-- Alex and ksb, Feb 2007
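
The mapping line described above selects which op rule runs, so a wrapper should refuse anything that is not exactly one well-formed line. The following is an added example of a strict parser in POSIX sh, not the sudop script itself; the function name, the MAP_* variables, the allowed character set for the first two values, and the sample line are assumptions.

```sh
#!/bin/sh
# Added example: defensive parse of one "rule!user!sudo-syntax" line.
# Assumptions (not from the README): the rule and user values contain only
# [A-Za-z0-9._-], and any further "!" belongs to the third (RE) value.

nl='
'

# parse_sudomap OUTPUT
# On success sets MAP_RULE, MAP_USER, MAP_SYNTAX and returns 0.
# Returns 1 for anything that is not exactly one well-formed line.
parse_sudomap() {
	MAP_RULE= MAP_USER= MAP_SYNTAX=
	out=$1
	[ -n "$out" ] || return 1
	case $out in
	*"$nl"*)	return 1 ;;	# more than "a single line on stdout"
	*'!'*'!'*)	;;		# at least two separators: three values
	*)		return 1 ;;
	esac
	rule=${out%%!*}		# text before the first "!"
	rest=${out#*!}
	user=${rest%%!*}	# text between the first and second "!"
	syntax=${rest#*!}	# everything after the second "!"
	# The first value picks the op rule to run, so be strict about it:
	# non-empty, no leading dash (option-like), no shell metacharacters.
	case $rule in
	''|-*|*[!A-Za-z0-9._-]*)	return 1 ;;
	esac
	case $user in
	''|-*|*[!A-Za-z0-9._-]*)	return 1 ;;
	esac
	[ -n "$syntax" ] || return 1
	MAP_RULE=$rule MAP_USER=$user MAP_SYNTAX=$syntax
	return 0
}

# Constructed sample line (not taken from any real op configuration).
sample='apache-restart!root!/usr/sbin/apachectl (start|stop|restart)'
if parse_sudomap "$sample"; then
	printf 'rule=%s user=%s syntax=%s\n' "$MAP_RULE" "$MAP_USER" "$MAP_SYNTAX"
fi
```
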